Base Process Library. The TickITplus scheme. Version Release


International TickITplus Association 2016

You are free to use this publication in the progress of developing an IT quality management system based on the principles of the TickITplus scheme. You are not allowed to sell, distribute, copy, replicate or in any other means distribute this publication for commercial gain.

While every care has been taken in developing and compiling this publication, ITA accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

While every effort has been made to trace all copyright holders, anyone claiming copyright should contact the International TickITplus Association.

ITA has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

ITA 2016 BPL Version

Contents

PREFACE
ACKNOWLEDGEMENTS
ITA BPL WORKING GROUP MEMBERS
INTRODUCTION
OVERVIEW
COVERAGE
SCOPE PROFILES
USE OF THE PROCESS DESCRIPTIONS
BPL APPLICABILITY
TICKITPLUS PROCESSES
ORG.1 HUMAN RESOURCE MANAGEMENT
ORG.2 MANAGEMENT FRAMEWORK
ORG.3 CORPORATE MANAGEMENT AND LEGAL
ORG.4 INFRASTRUCTURE AND WORK ENVIRONMENT MANAGEMENT
ORG.5 IMPROVEMENT
ORG.6 MEASUREMENT AND ANALYSIS
ORG.7 CUSTOMER FOCUS
ORG.8 RISK MANAGEMENT
ORG.9 PROGRAMME MANAGEMENT
ORG.10 LIFECYCLE MODEL MANAGEMENT
ORG.11 RESOURCE MANAGEMENT
ORG.12 SECURITY MANAGEMENT
PRJ.1 PROJECT MANAGEMENT
PRJ.2 DECISION MANAGEMENT
PRJ.3 CONFIGURATION AND CHANGE MANAGEMENT
PRJ.4 INFORMATION MANAGEMENT
PRJ.5 PROBLEM AND INCIDENT MANAGEMENT
PRJ.6 IT FINANCE MANAGEMENT
PRJ.7 MANAGEMENT REPORTING
TEC.1 DATA MANAGEMENT
TEC.2 CAPACITY MANAGEMENT
TEC.3 INTEGRATION MANAGEMENT
TEC.4 VERIFICATION
TEC.5 VALIDATION
TEC.6 TRANSITION AND RELEASE MANAGEMENT
TEC.7 OPERATIONS MANAGEMENT
TEC.8 MAINTENANCE MANAGEMENT
TEC.9 DISPOSAL
TEC.10 STAKEHOLDER REQUIREMENTS DEFINITION
TEC.11 REQUIREMENTS ANALYSIS
TEC.12 SERVICE LEVEL MANAGEMENT
TEC.13 ARCHITECTURAL DESIGN
TEC.14 DEVELOPMENT IMPLEMENTATION
TEC.15 CONTINUITY, AVAILABILITY AND CONTINGENCY MANAGEMENT
ITS.1 DOMAIN ENGINEERING
ITS.2 ASSET MANAGEMENT
AGR.1 ACQUISITION AND CONTRACT MANAGEMENT
AGR.2 SUPPLY MANAGEMENT AND BUSINESS RELATIONSHIPS
MAT.1 QUANTITATIVE PERFORMANCE MANAGEMENT
MAT.2 QUANTITATIVE PROCESS IMPROVEMENT

Preface

This is the latest release of the Base Process Library and reflects the very latest standards and trends across the industry. Many of you will already be on the path to upgrade your 9001 registrations to the standard, so enhancements to the Base Process Library include mappings to the latest standard, with particular focus on risk management and organisational leadership.

A key addition to the scheme is the incorporation of (Public Available Specification). The defines the overall principles for effective software trustworthiness, along with the necessary standards, techniques and processes to address safety, reliability, availability, security and resilience issues.

We're also very pleased to see increasing interest in the TickITplus programme, particularly from overseas, and have therefore decided to release the latest version of the Base Process Library through the new International TickITplus Association. We believe this will bring broader appeal to the TickITplus scheme and reflects the multinational nature of the organisations who currently use the scheme.

Of course, work doesn't stop here. Our members are already working on additional mappings, including for automotive functional safety. Our aim throughout is to provide a unifying framework to help users implement integrated management systems that are tailored to meet their business needs.

Peter Lawrence Msc FBCS CITP FIQA CQP
Chairman of the ITA

Acknowledgements

ITA BPL Working Group Members

Dave Wynn (Omniprove)
Sue Turner (turner-solutions.co.uk)
Folke Nillson (QualityIT)
Peter Lawrence (CSC)
Roger Gamage (CPIS)

Reviewed by ITA

Special thanks to:

BPL V1.2.0: Rob Acker, John Slape, Paul Breslin, Bal Matu, Arthur Hill
BPL V1.1.3: Phil Willoughby, Rose Jones, Irene Dovey, Sue Turner
BPL V1.1.2: John Davenport, Rob Acker, John Slape, Alan Calder, Sophie Erskine

Affiliations as listed: (LRQA) (LRQA) (DNVGL) (BSI and Develop Capability) (LRQA) (BSI) (Nexor) (L-3 ASA) (TCS) (LRQA) (LRQA) (ITG) (BSI)

Introduction

1 Overview

This is the baseline document for the TickITplus Base Process Library (BPL), and it is also part of the initial baseline documentation set for TickITplus. It details:

Scope Profile to process mapping.
Processes.
Mapping between requirement and reference standards and processes.

2 Coverage

This version of the BPL provides coverage of, /IEC :, /IEC and 754 for all 40 TickITplus processes and the eight TickITplus Scope Profiles:

Information Management and Security.
Service Management.
Systems and Software Development and Support.
Project and Programme Management.
Corporate Strategy Planning and Management.
Legal and Compliance.
Product Validation, Quality and Measurement.
IT Systems Engineering and Infrastructure.

3 Scope Profiles

Table 1 shows the mapping of Scope Profiles to processes taken from the TickITplus Core Scheme Requirements. The Domain Engineering process is not selected under any Scope Profile and therefore is always a Type C process is the core mandatory standard for the TickITplus scheme and is required in all cases. Therefore, in order to gain certification under TickITplus there must be an 9001 scope statement and at least 1 associated Scope Profile selected.

In order to include certification for the other standards a number of rules must be satisfied:

To include /IEC : the Service Management Scope Profile must be selected.
To include /IEC the Information Management and Security Scope Profile must be selected.
To include 754 the Systems and Software Development and Support Scope Profile must be selected.

These Scope Profiles can exist on their own and still achieve 9001 and the other standards as long as the organization's 9001 scope is in those areas, e.g. the Information Management and Security Scope Profile can exist on its own and achieve /IEC 27001, so long as the organization provides information management and security services or products under its 9001 scope.

4 Use of the process descriptions

It is a requirement of the scheme that the Process Reference Model (PRM) and Process Assessment Model (PAM) are populated with the process contents as described in this document, according to the scope. Once created, both the PRM and PAM must be subject to version control and comply with the requirements of the current scheme baselines, as identified on the TickITplus website.

Detailed requirements for the make-up of the PRM and PAM are contained in the TickITplus Core Scheme Requirements supported by the Base Process Library Guidance, which are part of the scheme documentation. However, in summary, for all processes in scope, all base practices and work products must be addressed by the PRM and PAM.

It should be noted that the BPL processes do not repeat the requirements of the referenced clauses of the mapped standards, and, consequently, in implementing an organizational PRM, the requirements of associated clauses in the mapped standards must be considered.

In some cases the work product names are enclosed in square brackets, i.e. [ ]. These aim to illustrate where the input or output work product is an entity or aspect that is not normally considered a work product. For example, the [Commercial Environment] and [Operating Environment] entries represent the environment in which an organization operates, e.g. legal requirements, operating conditions based on culture, accepted practice and economics. Another example is [Identified Stakeholder] which represents groups of people involved in the process.

A change request form is available to cover all TickITplus documentation and can be found on the official TickITplus website.

Table 1: Scope Profile to process mapping

Scope Profile columns: Information Management and Security; Service Management; Systems and S/W Development and Support; Project and Programme Management; Corporate Strategy Planning and Management; Legal and Compliance; Product Validation, Quality and Measurement; IT Systems Engineering and Infrastructure

Process | Type | Group | No
Human Resource Management | A | ORG | 1
Management Framework | A | ORG | 2
Corporate Management and Legal | A | ORG | 3
Infrastructure and Work Environment Management | A | ORG | 4
Improvement | A | ORG | 5
Measurement and Analysis | A | ORG | 6
Customer Focus | A | ORG | 7
Risk Management | A | ORG | 8
Programme Management | B/C | ORG | 9
Lifecycle Model Management | B/C | ORG | 10
Resource Management | B/C | ORG | 11
Security Management | B/C | ORG | 12
Project Management | B/C | PRJ | 1
Decision Management | B/C | PRJ | 2
Configuration and Change Management | B/C | PRJ | 3
Information Management | B/C | PRJ | 4
Problem and Incident Management | B/C | PRJ | 5
IT Finance Management | B/C | PRJ | 6
Management Reporting | B/C | PRJ | 7
Data Management | A | TEC | 1
Capacity Management | B/C | TEC | 2
Integration Management | B/C | TEC | 3
Verification | B/C | TEC | 4
Validation | B/C | TEC | 5
Transition and Release Management | B/C | TEC | 6
Operations Management | B/C | TEC | 7
Maintenance Management | B/C | TEC | 8
Disposal | B/C | TEC | 9
Stakeholder Requirements Definition | B/C | TEC | 10
Requirements Analysis | B/C | TEC | 11
Service Level Management | B/C | TEC | 12
Architectural Design | B/C | TEC | 13
Development Implementation | B/C | TEC | 14
Continuity, Availability and Contingency Management | B/C | TEC | 15
Domain Engineering | C | ITS | 1
Asset Management | B/C | ITS | 2
Acquisition and Contract Management | B/C | AGR | 1
Supply Management and Business Relationships | B/C | AGR | 2
Quantitative Performance Management | M | MAT | 1
Quantitative Process Improvement | M | MAT | 2

5 BPL applicability

The table below shows the applicability and impact of the latest version of the BPL. Major changes to Scope Profiles are represented by an M and minor changes by an m.

Table 2: BPL applicability and user impact

Columns: BPLB Designation; Information Management and Security; Service Management; Systems and S/W Development and Support; Project and Programme Management; Corporate Strategy Planning and Management; Legal and Compliance; Product Validation, Quality and Measurement; IT Systems Engineering and Infrastructure; Comments

M M M M M M M m M m M M m m m M M M M M M M M M

Comments:

This is the first release and impacts the two initial Scope Profiles.
This release introduces new Scope Profiles, processes and some amendments to existing processes which therefore affect existing users of the BPL.
This release introduces the remaining processes along with a few minor changes to existing processes.
This version introduces mapping and changes to support 1 along with mapping and additional outcomes to support and /IEC 2005 mappings have been removed 2

1 As a consequence of introducing there have been a number of changes to the /IEC mappings to provide better alignment.
2 As this is a major change resulting from the up-issue of 9001, the transition requirements to this version are the same as the transition for. Note, that during the transition period, version of the BPL remains valid, but the references to /IEC 2005 are now obsolete.

TickITplus Processes

ORG.1 Human Resource Management

Process ID: ORG.1
Process Name: Human Resource Management
Category: Organizational Processes
Type: A
Process Purpose: To ensure that the resources required to meet the business plan are available.
Version: v4r0

Process Outcome: Human resources are provided to meet the business plan and no impact from lack of human resources is evident.

BP.1 Establish Human Resource Policies and Procedures
Policies are established, approved and communicated that ensure human resources are identified, provided, managed, developed and released. Policies take into account all statutory, regulatory and security requirements. Procedures are defined, approved and made available for use, to implement the human resources policies. The policies and procedures are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Management Framework Human Resource Policies Human Resource Procedures 4.4.1c

BP.2 Identify the Required Human Resources
Organizational human resource needs are identified based on business needs, including both direct delivery requirements and indirect functional support. Human resource requirements are defined, reviewed, approved and communicated to all stakeholders.
Input and output work products, mapped clauses (as listed): Delivery Needs Human Resource Requirements 4.4.1d 5.1.1e g c 5.2d 6.4a 5.1c 7.1

BP.3 Satisfy Human Resources Requirements
Human resources are made available to meet the business plan using development, recruitment or reduction as appropriate. The recruitment programme is based on organizational policies, delivery needs and recognized business constraints, and is reviewed by top management on a periodic and event driven basis. Recruitment is undertaken according to procedures, and records are maintained. Reduction plans are established, reviewed and approved for the reduction of human resources. When staff leave the organization, identified exit requirements are satisfied, including return of assets and removal of access. Exit assessments are conducted to identify corrective action or improvement opportunities.
Input and output work products, mapped clauses (as listed): Human Resource Requirements [Human Resources] Improvement Request Recruitment Programme Reduction Plans 4.4.1d 5.1.1e e c 5.3c 5.1c 7.1 A7.1 A7.3

BP.4 Allocate Human Resources
Human resources are allocated to satisfy the identified needs based on the required resourcing levels, business risks, timescales and compatibility. Where the identified need cannot be fully satisfied, the gap is identified and managed. Roles, responsibilities (including those related to security) and objectives are clearly established and agreed with each human resource in a timely manner.
Input and output work products, mapped clauses (as listed): [Human Resources] Job Descriptions Organizational Chart 4.4.1e d 8.5.1e 4.1.3a 4.4.2d 4.5.3b 5.3 A7.2

BP.5 Induct Human Resources
Individual induction programmes are defined, approved and provided to all new human resources and human resources that have changed roles. Induction records are maintained. The effectiveness of the induction programmes is measured, and where needed, corrections and improvements are made.
Input and output work products, mapped clauses (as listed): [Human Resources] Corrective Action Request Improvement Request Induction Programmes Induction Records g A7.2 PE.02

BP.6 Assess Human Resource Performance
Assessment criteria are identified, approved and used as part of the assessment. Human resources are formally assessed on a periodic and event driven basis to provide feedback from line management, set specific objectives and determine development needs. Mutually agreed records of assessments are confidentially maintained.
Input and output work products, mapped clauses (as listed): [Human Resources] Assessment Criteria Assessment Record Development Needs g PE.02

BP.7 Develop Human Resources
Human resource development needs are identified on a periodic and event driven basis to satisfy business needs. Development plans are defined and approved to satisfy the identified needs. The effectiveness of human resource development is measured. Where needed, corrections and improvements to the development approach are made.
Input and output work products, mapped clauses (as listed): [Human Resources] Business Needs Delivery Needs Development Needs Development Records Improvement Request g A7.3 PE.02

OU.2 The organization has externally recognized subject matter experts.

BP.8 Benefit from the Subject Matter Expert
A network is established of internal subject matter experts, listing their area of expertise and mode of support. The network is supported by a defined mechanism to support the exchange of information between the subject matter experts and the organization. Subject matter experts are encouraged and supported to promote their recognized knowledge externally, to enhance the reputation of the organization.
Input and output work products, mapped clauses (as listed): Job Descriptions Organizational Chart Assessment Record Development Records PE.01

ORG.2 Management Framework

Process ID: ORG.2
Process Name: Management Framework
Category: Organizational Processes
Type: A
Process Purpose: To establish a formal system of policies, processes, procedures, lifecycle models and reviews.
Version: v4r0

Process Outcome: The organization achieves business goals and objectives through the implementation of an effective management framework.

BP.1 Establish Management Framework Policies
Policies are established, approved and communicated to ensure that the management framework is implemented, communicated and understood throughout the organization to achieve the business plan. Policies are communicated so all staff understand how their roles and responsibilities contribute to achieving the business needs and objectives. Policies are periodically reviewed and updated in line with the business plan. The policies are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Management Framework Policies 4.4.1c a a a c 5.3f a 7.4

BP.2 Establish an Integrated Management System (IMS)
An IMS is established that consists of defined lifecycles, processes, procedures, standards and supporting documentation to ensure effective implementation of policies. The scope of the IMS and the interaction between the elements of the IMS are documented. Objectives are appropriately established throughout the organization to understand the performance of the Integrated Management System. The IMS is deployed through formal training, coaching and regular communication that ensures the organization supports the effective implementation and operation of the IMS, and appreciates the potential consequences of not doing so. The latest applicable version of the IMS is made readily accessible to all staff.
Input and output work products, mapped clauses (as listed): Management Framework Policies Integrated Management System h b f 5.3h f A5.1 CM.02

BP.3 Audit IMS Compliance
Audits are undertaken objectively to ensure conformance to requirements and effective implementation of the IMS. Audits are planned and scheduled in line with the impact, importance and risk of the activities being performed, including consideration of previous audit findings. The audit findings are recorded and communicated to all stakeholders for subsequent remedial and corrective actions. All actions are tracked to closure, and records maintained.
Input and output work products, mapped clauses (as listed): Audit Finding Audit Schedule Audit Finding Audit Report Audit Schedule f h 9.2 A12.7 CM.02

BP.4 Collect Analyse and Use Measures
Measures are collected, analysed and used to report, review and improve the effectiveness and implementation of the IMS. Measures cover the level of implementation (adoption and compliance) and effectiveness of the IMS. The measures are analysed and reported. Actions are raised to address adverse conditions and to propose improvements.
Input and output work products, mapped clauses (as listed): Measurement and Analysis Data Process Measures Corrective Action Request Improvement Request Process Analysis Report 4.4.1g 4.4.2b 5.1.1g 8.5.1c e 5.1g CM.02

BP.5 Schedule and Hold Reviews
Periodic reviews are held to check the effectiveness and performance of the IMS, to identify preventive actions and to make recommendations for improvements. Reviews are undertaken at appropriate levels within the organization.
Input and output work products, mapped clauses (as listed): Audit Report Improvement Request Process Analysis Report Review Records Risk Reports Supplier Performance Report Business Needs Business Objectives Human Resource Requirements Improvement Request Infrastructure Requirements Review Records Work Environment Requirements 5.1.1g 5.1.1i f e 5.1g A18.2 CM.02

ORG.3 Corporate Management and Legal

Process ID: ORG.3
Process Name: Corporate Management and Legal
Category: Organizational Processes
Type: A
Process Purpose: To provide top-level management of business needs, objectives and performance within a legal framework.
Version: v4r0

Process Outcome: Top management is fully engaged in the operation of the business, and overall performance is improving.

BP.1 Identify Business Needs and Objectives
The organization identifies a clear description of overall business needs and objectives that can be implemented within the statutory and regulatory frameworks and commercial environment in which the organization operates. The internal and external factors that influence and affect the organization's ability to deliver products and services are identified and understood.
Input and output work products, mapped clauses (as listed): [Commercial Environment] [Operating Framework] [Stakeholders] Statutory and Regulatory Requirements Business Needs Business Objectives a 4.3.1a 4.5.2a a GV.01

BP.2 Establish
A business plan is prepared to define, communicate and implement the strategies necessary to meet business needs and objectives throughout the organization, including consideration of the internal and external influences and factors. The business plan details corporate responsibilities, accountabilities and authorities, along with their dependencies and interaction. The business plan is reviewed at least annually, and as required, to address changes in the operating framework, commercial environment, or statutory and regulatory requirements.
Input and output work products, mapped clauses (as listed): Business Needs Business Objectives Risks d 4.1.3a

BP.3 Establish and Communicate the Management Framework
A management framework is established to enable the organization to meet business needs and objectives according to the business plan. The management framework comprises policies, objectives, communication channels, reviews and resources including authorities, responsibilities and roles. The purpose and intent of the Management Framework is communicated throughout the organization to provide adequate awareness of the benefits of effective implementation and potential consequences of ineffective implementation.
Input and output work products, mapped clauses (as listed): Management Framework b 4.5.2d

BP.4 Manage the Organization
Top management ensures all financial, material, service and human resources necessary to operate the business are made available, consistent with the business plan. Organizational activities are undertaken according to the processes and procedures laid down in the Integrated Management System (IMS).
Input and output work products, mapped clauses (as listed): Management Framework Business Results Human Resource Requirements Infrastructure Requirements Work Environment Requirements b 4.1.1c 4.1.1e a

BP.5 Manage Business Performance
Top management regularly monitors the Management Framework performance against the business plan, and reviews the effectiveness of the IMS in achieving business needs and objectives. Customer feedback, measures, and risks are identified, analysed and reviewed. Planned action is taken to improve the Management Framework where performance deviates from the business plan, or the IMS is not effective in meeting business needs and objectives. Records of monitoring and review are maintained.
Input and output work products, mapped clauses (as listed): Business Results Customer Feedback Measurement and Analysis Data Risks Business Needs Business Objectives Corrective Action Request Improvement Request Management Framework Monitoring Records Review Records Risk Mitigation Actions f 4.1.1g A18.2 CM.02

OU.2 Top management clearly understand the implication of delivering trustworthy products, and there is no organizational exposure.

BP.6 Understand the Environment for Trust
The organization has a risk managed approach for the consideration of factors that influence the trustworthiness of the products. These include as a minimum the needs for assurance, privacy and the special factors relating to cryptography. This understanding is reconsidered and maintained on an ongoing basis.
Input and output work products, mapped clauses (as listed): [Situational Awareness] Statutory and Regulatory Requirements Management Framework Risks GV.02

BP.7 Implement a Management Framework to Control Trust
The framework ensures that organizational groups involved in the provision of trustworthy products are established such that appropriate checks and balances are in place. A Trustworthy Software Release Authority role is identified from higher management to take organizational responsibility for ensuring trustworthy products and services. The role ensures that all third party products are formally accepted.
Input and output work products, mapped clauses (as listed): Management Framework Risks Job Descriptions Organizational Chart GV.03

ORG.4 Infrastructure and Work Environment Management

Process ID: ORG.4
Process Name: Infrastructure and Work Environment Management
Category: Organizational Processes
Type: A
Process Purpose: To provide the infrastructure, services and working environment to support organizational activities.
Version: V4r0

Process Outcome: Infrastructure is made available, and organizational activities are not impaired by issues relating to the infrastructure or work environment.

BP.1 Establish Infrastructure and Working Environment Policies
Policies for managing the infrastructure and work environment are established, approved and communicated, to satisfy the business plan. Policies take into account all statutory, regulatory and security requirements for the infrastructure and work environment. The policies are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Management Framework Infrastructure and Work Environment Policies 4.4.1c d 4.3.1c 4.4 A9.1 A9.4 A11.1 A11.2 A13.1

BP.2 Identify Infrastructure and Work Environment Needs
The organization identifies and engages with stakeholders to gain a clear understanding of the required infrastructure and environmental conditions needed to support business objectives. Infrastructure and work environment requirements are documented in a way that provides clear understanding and visibility to all stakeholders.
Input and output work products, mapped clauses (as listed): Delivery Needs Infrastructure and Work Environment Policies Infrastructure Requirements Work Environment Requirements 4.4.1d 5.1.1e b c 4.5.2g c 5.2d 5.3e 5.3k 5.1c 7.1 A11.1 A11.2 A12.1

BP.3 Establish and Manage Infrastructure
The infrastructure is established in accordance with the work environment requirements, verified and validated to ensure that it satisfies the identified requirements. The infrastructure is maintained under configuration and change management. The work environment is monitored and the infrastructure managed to ensure that it continues to meet identified business needs.
Input and output work products, mapped clauses (as listed): Infrastructure Requirements Work Environment Requirements [Infrastructure and Work Environment] Infrastructure and Work Environment Description b 8.5.1d c c 7.1 A11.1 A11.2 A12.2 A12.3 PH.01 PH.02

BP.4 Disposal of Infrastructure
Disposal of redundant infrastructure and equipment is managed to ensure compliance with environmental, regulatory and legal requirements. Records of disposal are maintained.
Input and output work products, mapped clauses (as listed): [Infrastructure and Work Environment] Infrastructure and Work Environment Policies Disposal Records d A11.1 A11.2

ORG.5 Improvement

Process ID: ORG.5
Process Name: Improvement
Category: Organizational Processes
Type: A
Process Purpose: To continually improve the effectiveness and efficiency of the organization in achieving its business objectives.
Version: v4r0

Process Outcome: Improvement is undertaken, and the organization achieves verifiable business benefits.

BP.1 Establish Policy and Procedures for Improvement
A policy for improvement is established, approved and communicated for implementing improvements. Procedures are defined, approved and made available for use. The procedures cover the identification, selection, analysis, planning, monitoring and review of improvements. The policy and procedures are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Management Framework Corrective Action Procedure Improvement Policy Improvement Procedure Preventive Action Procedure 4.4.1c d 4.1.2c d

BP.2 Analyse Improvement Opportunities
Improvement opportunities are analysed and selected on the basis of feasibility, cost and benefit. Selected improvement opportunities are prioritized and aligned against existing improvement plans. The approach to implementing the improvement opportunities is defined, and the benefits are expressed such that they can be verified.
Input and output work products, mapped clauses (as listed): Improvement Request Improvement Approach Tracking System Records 4.4.1h 5.1.1i g 9.3.3a j g A16.1

BP.3 Implement the Improvements
An improvement plan is established that identifies the objectives, actions, resources, responsibilities, and timescales for completion of the selected improvements. The plan covers both the activities necessary to implement the improvements and to verify the resulting benefits. The improvement plan is verified, approved and implemented.
Input and output work products, mapped clauses (as listed): Improvement Approach Improvement Plan 4.4.1h 5.1.1i 6.1.1d b g 10 A16.1

BP.4 Monitor and Review
The improvement plan is monitored, and action taken to ensure that improvement objectives are achieved. Completed improvements are reviewed to verify that the planned benefits have been achieved.
Input and output work products, mapped clauses (as listed): Improvement Plan Improvement Verification Record 4.4.1h 5.1.1i f j g A16.1

ORG.6 Measurement and Analysis

Process ID: ORG.6
Process Name: Measurement and Analysis
Category: Organizational Processes
Type: A
Process Purpose: To provide information to enable better decision-making.
Version: v4r0

Process Outcome: Measurements are used to demonstrate achievement of business objectives, to support decisions and identify improvement.

BP.1 Define Measurement and Analysis Policy and Procedures
A policy is established, approved and communicated to ensure that measures are identified, collected, analysed, reported and used, to support the achievement of the business plan. Procedures are defined for developing measures against key business objectives, to understand performance. The procedures define the method for identifying, collecting, storing, analysing and using measures. The policy and procedures are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Management Framework Measurement and Analysis Policy Measurement and Analysis Procedures 4.4.1c l

BP.2 Identify Measurement Objectives and Data
The organization establishes where measures are necessary and identifies the objectives and data sources necessary to achieve them. The objectives and data sources are reviewed and agreed by stakeholders.
Input and output work products, mapped clauses (as listed): Business Objectives Measurement Data Sources Measurement Objectives 4.4.1c a 8.5.1a 8.5.1b a 4.5.2a 4.5.2l a 5.2j 5.3k CM.02

BP.3 Collect and Analyse Measurement Data
Measurement data is collected and stored in line with the collection method. The measurement data is validated, and any need for additional measurement is identified. The measurement data is analysed to provide indicators and recommendations to stakeholders.
Input and output work products, mapped clauses (as listed): Measurement Data Sources Measurement Objectives Measurement and Analysis Data Measurement and Analysis Report f b d CM.02

BP.4 Use Measurement Information
Stakeholders review the indicators and recommendations. Actions are put in place to implement agreed recommendations, which are documented and tracked to completion.
Input and output work products, mapped clauses (as listed): Measurement and Analysis Report Corrective Action Request Improvement Request Preventive Action Request 4.4.1g c CM.02 CM.02

ORG.7 Customer Focus

Process ID: ORG.7
Process Name: Customer Focus
Category: Organizational Processes
Type: A
Process Purpose: To establish and manage a positive relationship with the customer by understanding their business needs, objectives and expectations.
Version: v4r0

Process Outcome: The organization has a complete understanding of the relationship with its customers and is in a position to address all negative feedback successfully.

BP.1 Establish Business Relationship Framework
The organization identifies and documents its customers and other stakeholders, along with the processes, roles and responsibilities for managing the relationships.
Input and output work products, mapped clauses (as listed): [Identified Stakeholders] Customer Relationship Management Plan h

BP.2 Establish Customer Focused Procedures
Procedures for managing customer relationships are defined, including agreeing requirements, review, customer feedback, risks, complaints and escalations. The procedures are maintained under the management framework.
Input and output work products, mapped clauses (as listed): Customer Relationship Management Plan Management Framework Customer Feedback Procedures

BP.3 Collect and Analyse Customer Feedback
Agreed requirements are implemented and stakeholder feedback is collected and understood with the aim of driving improvements. Customer complaints are addressed within agreed timescales. Risks associated with customer feedback are understood and managed.
Input and output work products, mapped clauses (as listed): Customer Feedback Procedures Customer Feedback Customer Relationship Report Risks c 8.5.5d 8.5.5e a 6.2f

BP.4 Review Relationship
Regular communication takes place between the organization, customer and other stakeholders to review the extent to which the needs, objectives and expectations of the customer are met. Action is taken to address any identified issues or improvement opportunities.
Input and output work products, mapped clauses (as listed): Customer Relationship Management Plan Corrective Action Request Improvement Request Review Records 4.4.1h 5.1.1i

ORG.8 Risk Management

Process ID: ORG.8
Process Name: Risk Management
Category: Organizational Processes
Type: A
Process Purpose: To avoid or mitigate potential future events that could adversely affect reaching business objectives.
Version: v4r0

Process Outcome: Risks are managed and business objectives are not adversely affected by unexpected conditions or events.

BP.1 Define Risk Management Procedures
Procedures for managing risk are defined, including the development of plans, criteria for accepting risks, identification and analysis of risks, establishing mitigating actions, and tracking, reporting and escalation of risks. The procedures are maintained under the management framework.
Work products (input, then output) and references: Management Framework Risk Management Procedures c

BP.2 Establish Risk Management Plan
A risk management plan is defined for use by the organization. This risk management plan includes the approach to be taken, roles and responsibilities, timescales and thresholds for triggering action.
Work products (input, then output) and references: Risk Management Procedures Stakeholder Requirements Risk Management Plan j 6.6.1b 8.1

BP.3 Identify and Analyse Risks
Risks, both internal and external, are identified, analysed and documented to determine the priority for action when thresholds are met. Actions identify activities to reduce, avoid, transfer or communicate acceptance, responsibilities and timescales, including expected risk occurrence event. Risk assessments are reconsidered on a periodic and event driven basis.
Work products (input, then output) and references: Business Needs Business Objectives Risk Management Plan Risk Mitigation Actions Risks 4.4.1f d d a 5.2f d 6.6.3a RI.01

BP.4 Track Risks
The status of each risk is monitored, and appropriate actions are taken to address risks, where planned triggers are activated or defined thresholds are exceeded. Actions are reviewed to ascertain their effectiveness and changes are made. The risk management documentation is updated with the status of current risks. All actions are tracked to closure, and records are maintained.
Work products (input, then output) and references: Risk Management Plan Risks Risk Records 4.4.1f d e RI.01 RI.02

BP.5 Report Status and Escalate
The status of each risk, together with any actions, is reported to stakeholders. Where actions are not effectively addressing the risk, they are escalated.
Work products (input, then output) and references: Risk Management Plan Risk Records Risk Reports 4.4.1f e e h 9.3e RI.01 RI.02

BP.6 Analyse Risk Management Performance
Data on the performance of risk management across the organization is collected, reviewed and analysed in order to indicate how well risk management is working and to identify improvements when needed.
Work products (input, then output) and references: Risk Reports Improvement Request 4.4.1g 5.1.1i 6.2.2e c b

OU.2 Comprehensive and explicit understanding of risks to the delivery of trustworthy products and services exists, and there are no susceptibilities.

BP.7 Understand the Technical Factors Influencing Trust
The organization maintains a full understanding of technical risks associated with the delivery of trustworthy products and services which include as a minimum the maturity of the technology used and associated vulnerabilities and exposures.
Work products (input, then output) and references: [Situational Awareness] Risks RI.02

ORG.9 Programme Management

Process ID: ORG.9
Process Name: Programme Management
Category: Organizational Processes
Type: B/C
Process Purpose: To ensure that related projects achieve their objectives.
Version: v4r0

Process Outcome: The organization achieves programme objectives in a coordinated manner and the delivery of related projects is on time, in budget and to quality.

BP.1 Identify and Plan the Programme
Projects and other work that would benefit from coordination are identified and managed as a programme. The scope of each project is understood and a programme plan and schedule is produced that includes governance and objectives, project alignment and dependencies, stakeholder involvement, risks and issues and reporting. The programme plan is reviewed by stakeholders and approved by management. The programme is initiated following formal approval. The programme governance and objectives are communicated to the stakeholders and participants along with the programme plan and schedule.
Work products (input, then output) and references: [Projects] Programme Plans Programme Schedules

BP.2 Monitor and Control the Programme
Project and work reports are made available to enable the progress of the programme to be determined against its goals and objectives. Regular programme progress reviews take place with stakeholders, and records are maintained. Programme issues are documented, reviewed and resolved in a timely manner. Issues that cannot be addressed are escalated to higher levels of management. Programme risks and mitigating actions are reviewed on a periodic and event driven basis.
Work products (input, then output) and references: Issues Programme Plans Programme Schedules Risks Issues Programme Reports Risks d b 10.2

BP.3 Manage Changes to the Programme
Programme changes are documented, reviewed, approved and addressed. The impact of a programme change is determined and approved by appropriate stakeholders. Changes are documented, and records maintained.
Work products (input, then output) and references: Change Request Programme Plans Programme Schedules Change Record Programme Plans Programme Schedules

ORG.10 Lifecycle Model Management

Process ID: ORG.10
Process Name: Lifecycle Model Management
Category: Organizational Processes
Type: B/C
Process Purpose: To define, develop and assure the availability of lifecycle policies, processes, models, procedures and associated assets for use by the organization.
Version: v4r0

Process Outcome: The organization uses defined lifecycle models with no implementation tailoring.

BP.1 Establish Lifecycle Model Management Policy and Procedure
A policy is established, approved and communicated to govern the management and development of lifecycle models within the business. The policy and procedure ensure that the needs of the customer and other stakeholders are accommodated through use on projects. A lifecycle model management procedure is defined to create, pilot, deploy and maintain lifecycle models, processes and associated assets. The policy and procedure are maintained under the management framework.
Work products (input, then output) and references: Management Framework Lifecycle Management Policy Lifecycle Management Procedure 4.4.1c

BP.2 Identify the Need for a Lifecycle Model
The organization identifies the need for new or revised lifecycle models through feedback. Feedback comes from project tailoring and performance, customer needs and feedback, and industry developments and measures. The need, purpose and effort required to develop the new or revised lifecycle model are defined and agreed.
Work products (input, then output) and references: Customer Feedback Industry Developments Measurement and Analysis Report Project Performance Data Project Tailoring Stakeholder Requirements Development Estimate and Approval New Lifecycle Scope Statement TE.01

BP.3 Define the Lifecycle Model
The organization reviews the available approaches and best practices within the organization and industry, and identifies or develops the most appropriate lifecycle model. The lifecycle model is documented. The criteria for when to use the lifecycle model are stated together with how it can be tailored in order to meet specific business needs.
Work products (input, then output) and references: New Lifecycle Scope Statement Lifecycle Model Description and Assets TE.01 TE.02 TE.03

BP.4 Pilot
The lifecycle model is piloted within the organization to ensure that it achieves its purpose. Feedback from the pilot is assessed and used to improve the lifecycle model before deployment.
Work products (input, then output) and references: Lifecycle Model Description and Assets Pilot Results 8.1b 8.5.1f

BP.5 Review the Lifecycle Model
The lifecycle model is reviewed on a periodic or event driven basis to determine its effectiveness and efficiency in line with the business needs and objectives. Data and information from projects are used to identify opportunities to improve the lifecycle models, processes and associated assets.
Work products (input, then output) and references: Project Performance Data Improvement Request 4.4.1g 4.4.1h 5.1.1i 6.2.2e 10.1a 10.1c 10.3 CM.02

ORG.11 Resource Management

Process ID: ORG.11
Process Name: Resource Management
Category: Organizational Processes
Type: B/C
Process Purpose: To manage IT related resources throughout the organization.
Version: v4r0

Process Outcome: Resources are provided to meet the plans and no impact from lack of resources is evident.

BP.1 Establish Resource Management Procedures
Resource management procedures are defined, approved and made available for use. The procedures cover the identification of resources and associated constraints, resource allocation, usage, maintenance, upgrade, storage and disposal. The procedures are maintained under the management framework.
Work products (input, then output) and references: Management Framework Resource Management Procedures b

BP.2 Identify the Required Resources
The organization identifies required resources based on business needs including infrastructure and work environment, corporate management and legal, and project management. Constraints that will affect the provision of resource needs are identified based on business limitations. Resource requirements and constraints are documented, reviewed, approved and communicated to stakeholders.
Work products (input, then output) and references: Business Needs Human Resource Requirements Infrastructure Requirements Work Environment Requirements 4.4.1d 6.2.2b e 4.1.1e c 4.5.2g 4.5.2k c 5.2d

BP.3 Provide Resources
Plans are established, reviewed and approved for the provision of resources in accordance with procedures. Resources are made available to meet the requirements through acquisition, managed allocation of existing resources or development, in accordance with plans. Records of the provision of resources are maintained.
Work products (input, then output) and references: Human Resource Requirements Infrastructure Requirements Work Environment Requirements Resource Plans Resource Provision Records 5.1.1e e 4.1.1e c 6.5

BP.4 Allocate Resources
Resources are allocated to satisfy requirements in accordance with the resource plans. Where the identified need cannot be fully satisfied the resource shortfall or conflict is identified and managed.
Work products (input, then output) and references: Human Resource Requirements Infrastructure Requirements Resource Plans Work Environment Requirements Asset Log Resource Provision Records e 8.5.1f

BP.5 Manage Resource Usage
Resource usage and allocation is monitored and managed. Adjustments are made to accommodate shortfalls or surpluses in resources. Resourcing issues are escalated to higher management when effective adjustments cannot be made.
Work products (input, then output) and references: Asset Log Issues Resource Plans Asset Log Resource Plans Resource Provision Records

BP.6 Maintain and Update Resources
Resource incidents and problems are assessed and resolved. Routine maintenance of resources is carried out according to planned arrangements, and records are maintained. Resource updates and enhancements are applied under change management.
Work products (input, then output) and references: Asset Log Incident Reports Maintenance Records Problem Reports

BP.7 Reuse and Disposal of Resources
Resources that are no longer allocated are made available for reuse. Resources that are no longer required by the business are considered for disposal in accordance with approved disposal arrangements.
Work products (input, then output) and references: Asset Log Asset Log

ORG.12 Security Management

Process ID: ORG.12
Process Name: Security Management
Category: Organizational Processes
Type: B/C
Process Purpose: To ensure the protection and availability of information assets.
Version: v4r0

Process Outcome: There is no damage to the organization, stakeholders or customers arising through the mishandling or loss of information.

BP.1 Establish Security Management Policies and Procedures
Policies for identifying and managing the security of business information assets are established, approved and communicated. Policies take into account any business and regulatory requirements for security management. The procedures are defined, approved and made available for use to implement the security management policies. Procedures comprise identifying the information assets which require security management and how appropriate records are maintained. The policies and procedures are maintained under the management framework.
Work products (input, then output) and references: Management Framework Security Policies Security Procedures 4.4.1c A5.1

BP.2 Managing Information Security
The organization assigns an individual to be responsible for information security. A team is selected to review and coordinate security activities on a regular basis. Ongoing consideration is given to ensure that emerging threats and vulnerabilities, both internally and externally, are understood and taken into account. Potential and actual security breaches are managed in accordance with Problem and Incident Management.
Work products (input, then output) and references: [Security Incidents] Security Policies Security Procedures Incident Records Security Responsibilities A6.1 A16.1

BP.3 Identify and Manage Risks
The organization identifies and assesses risks to information assets, considering compromises of confidentiality, integrity and availability. The information security risk assessment covers all business, contractual and regulatory requirements. Control objectives are selected to reduce risk in line with management's risk appetite. Controls are selected to achieve control objectives.
Work products (input, then output) and references: Asset Log Risk Management Procedures Security Policies Security Procedures Risk Records Risks Security Plan

BP.4 Implement and Manage Controls
The controls are implemented, evaluated and managed in accordance with the management framework. Changes to the provision of services are raised through the formal change management process and are assessed for the impact on the security controls. Security incidents are recorded and analysed for corrective action and improvement opportunities.
Work products (input, then output) and references: Change Request Management Framework Security Plan Change Record Corrective Action Request Improvement Request Security Controls

OU.2 The organization fully understands the coverage of security controls and does not experience damage from unexpected security incidents.

BP.5 Security Coverage is Understood and Documented
The organization fully understands and has documented the extent and coverage of the implemented security controls. The extent and coverage of the security controls is reviewed on a periodic and event driven basis. The documentation is maintained under change and configuration management.
Work products (input, then output) and references: Risk Records Security Controls Risk Treatment Plan Statement of Applicability

BP.6 Proactively Monitor Effectiveness of Controls
The organization implements proactive monitoring and review of operational security controls where incidents and events will cause security breaches. Corrective action is undertaken where the controls are considered inadequate and risk treatment plans are updated.
Work products (input, then output) and references: Incident Records Risk Treatment Plan Security Controls Corrective Action Request Improvement Request Risk Mitigation Actions A16.1


More information

Governance in a Multi-Supplier Environment

Governance in a Multi-Supplier Environment Governance in a Multi-Supplier Environment This paper provides advice and guidance for organisations faced with governing a multi-supplier environment. 1. The Need for Governance ISACA, the global IT governance

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing

More information

EXIN ITIL Exam Questions & Answers

EXIN ITIL Exam Questions & Answers EXIN ITIL Exam Questions & Answers Number: ITIL Passing Score: 800 Time Limit: 120 min File Version: 37.4 http://www.gratisexam.com/ EXIN ITIL Exam Questions & Answers Exam Name: ITIL V3 Foundation Exam

More information

ISO 14001: 2015 Environmental Gap Analysis

ISO 14001: 2015 Environmental Gap Analysis Environmental Gap Analysis The revised ISO 14001 standard was published on 14 TH September 2015. How to use this document This document provides an overview of the changes between ISO 14001:2004 and ISO

More information

9100 revision Changes presentation clause-by-clause. IAQG 9100 Team November 2016

9100 revision Changes presentation clause-by-clause. IAQG 9100 Team November 2016 Changes presentation clause-by-clause IAQG 9100 Team November 2016 INTRODUCTION In September 2016, a revision of the 9100 standard has been published by the IAQG (International Aerospace Quality Group)

More information

General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF Quality System. Quality Code. SQF Quality Code, Edition 8

General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF Quality System. Quality Code. SQF Quality Code, Edition 8 General Guidance for Developing, Documenting, Implementing, Maintaining, and Auditing an SQF Quality System Quality Code SQF Quality Code, Edition 8 October 2017 2014 Safe Quality Food Institute 2345 Crystal

More information

How to to transition to ISO One year on. Rob Acker Business Continuity Lead Assessor LRQA Ltd

How to to transition to ISO One year on. Rob Acker Business Continuity Lead Assessor LRQA Ltd How to to transition to ISO 22301... One year on Rob Acker Business Continuity Lead Assessor LRQA Ltd Agenda Structure of ISO22301 Detailed review a walk through. Section 4 understanding Section 5 leadership

More information

Exam Duration: 2 hours and 30 minutes

Exam Duration: 2 hours and 30 minutes The PRINCE2 Practitioner Examination Sample paper TR Question Booklet Multiple Choice Exam Duration: 2 hours and 30 minutes Instructions 1. You should attempt all 75 questions. Each question is worth one

More information

Moving to the AS9100:2016 series. Transition Guide

Moving to the AS9100:2016 series. Transition Guide Moving to the AS9100:2016 series Transition Guide AS9100-series - Quality Management Systems for Aviation, Space and Defense - Transition Guide Successful aviation, space and defense businesses understand

More information

Level 3 Diploma in Warehousing and Storage ( )

Level 3 Diploma in Warehousing and Storage ( ) Level 3 Diploma in Warehousing and Storage (06-07) Candidate logbook 600/3766/0 www.cityandguilds.com January 202 Version.0 About City & Guilds City & Guilds is the UK s leading provider of vocational

More information

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication KPMG Global Energy Institute KPMG International KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication Stakeholder management and communication is critical to

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Clinical Governance & Risk Management Department Warning Document uncontrolled when printed Policy Reference: RM 2.0 Date of Issue: TBC Prepared by: Risk Management Short Life Date

More information

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard. AW2 Logistics, Inc Ace Industrial Dr.

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard. AW2 Logistics, Inc Ace Industrial Dr. Quality Manual This manual complies with the requirements of the ISO 9001:2015 International Standard. AW2 Logistics, Inc. 6001 Ace Industrial Dr. Cudahy, WI 53210 Quality Manual Rev 3 Page 1 of 30 Table

More information

ITSM Process/Change Management

ITSM Process/Change Management ITSM Process/Change Management Process Documentation Revision Date: December 13, 2017 Version Number: 2.0 Document Ownership Document Owner Maury Collins Revision History ITSM Role, Department Service

More information

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report Report Quality Assessment of Internal Audit at Draft Report / Final Report Quality Self-Assessment by Independent Validation by Table of Contents 1.

More information

ISO 9001:2015. Quality Management System. Manual

ISO 9001:2015. Quality Management System. Manual ISO 9001:2015 Quality Management System Manual Introduction Company has made the Strategic Business Decision to develop and implement an effective Quality Management Systems (QMS) across all areas of the

More information

DECISION 10/2014/GB OF THE GOVERNING BOARD OF THE EUROPEAN POLICE COLLEGE ADOPTING THE EUROPEAN POLICE COLLEGE S INTERNAL CONTROL STANDARDS AND

DECISION 10/2014/GB OF THE GOVERNING BOARD OF THE EUROPEAN POLICE COLLEGE ADOPTING THE EUROPEAN POLICE COLLEGE S INTERNAL CONTROL STANDARDS AND DECISION 10/2014/GB OF THE GOVERNING BOARD OF THE EUROPEAN POLICE COLLEGE ADOPTING THE EUROPEAN POLICE COLLEGE S INTERNAL CONTROL STANDARDS AND AMENDING THE DECISION 08/2011/GB Adopted by the Governing

More information

ISO 22000:2005 SYSTEMKARAN ADVISER & INFORMATION CENTER SYSTEM KARAN ADVISER & INFORMATION CENTER FOOD SAFETY MANAGEMENT SYSTEM ISO 22000:2005

ISO 22000:2005 SYSTEMKARAN ADVISER & INFORMATION CENTER SYSTEM KARAN ADVISER & INFORMATION CENTER FOOD SAFETY MANAGEMENT SYSTEM ISO 22000:2005 SYSTEM KARAN ADVISER & INFORMATION CENTER FOOD SAFETY MANAGEMENT SYSTEM ISO 22000:2005 WWW.SYSTEMKARAN.ORG 1 www.systemkaran.org Foreword... 6 Introduction... 7 Food safety management systems Requirements

More information

Pass4sure.ITIL-F.347.QA

Pass4sure.ITIL-F.347.QA Pass4sure.ITIL-F.347.QA Number: ITIL-F Passing Score: 800 Time Limit: 120 min File Version: 19.1 http://www.gratisexam.com/ ITIL-F.EN.dat ITIL Foundation Enjoy the real success with nicely written Questions

More information

Asset management Overview, principles and terminology

Asset management Overview, principles and terminology INTERNATIONAL STANDARD ISO 55000 First edition 2014-01-15 Asset management Overview, principles and terminology Gestion d actifs Aperçu général, principes et terminologie Reference number ISO 55000:2014(E)

More information

King lll Principle Comments on application in 2013 Reference in 2013 Integrated Report

King lll Principle Comments on application in 2013 Reference in 2013 Integrated Report Application of King III Principles 2013 This document has been prepared in terms of the JSE Listings Requirements and sets out the application of King III principles by the Clicks Group. The following

More information

ENVIRONMENTAL AUDITING GUIDE TD 16/16/E

ENVIRONMENTAL AUDITING GUIDE TD 16/16/E ENVIRONMENTAL AUDITING GUIDE MIDDLE EAST GASES ASSOCIATION (MEGA) European Business Center, Office BC 25 Dubai Investments Park, PO Box: 166 Dubai-UAE Tel: +971-4-8135525 / Fax: +971-4-8135575 / E-mail:

More information

Governance SPICE. Using COSO and COBIT Process Assessment Models BPM GOSPEL

Governance SPICE. Using COSO and COBIT Process Assessment Models BPM GOSPEL Governance SPICE Using COSO and COBIT Process Assessment Models Linking Governance to Sustainable Value Creation BPM GOSPEL (LLP-LDV-TOI-2010-HU-001) This project has been funded with support from the

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Service management Part 2: Guidance on the application of service management systems

ISO/IEC INTERNATIONAL STANDARD. Information technology Service management Part 2: Guidance on the application of service management systems INTERNATIONAL STANDARD ISO/IEC 20000-2 Second edition 2012-02-15 Information technology Service management Part 2: Guidance on the application of service management systems Technologies de l'information

More information

CMII-100G. CMII Standard for Integrated Process Excellence and. and

CMII-100G. CMII Standard for Integrated Process Excellence and. and CMII-100G CMII Standard for Integrated Process Excellence and and About this Standard How an organization does what it does has everything to do with processes. Every organization has a network of core

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO 19011 Second edition 2011-11-15 Guidelines for auditing management systems Lignes directrices pour l audit des systèmes de management Reference number ISO 19011:2011(E) ISO 2011

More information

MALAYSIAN STANDARD QUALITY MANAGEMENT SYSTEMS - REQUIREMENTS (FIRST REVISION) (ISO 9001:2008, IDT) (PUBLISHED BY STANDARDS MALAYSIA IN 2009)

MALAYSIAN STANDARD QUALITY MANAGEMENT SYSTEMS - REQUIREMENTS (FIRST REVISION) (ISO 9001:2008, IDT) (PUBLISHED BY STANDARDS MALAYSIA IN 2009) MALAYSIAN STANDARD MS ISO 9001:2008 QUALITY MANAGEMENT SYSTEMS - REQUIREMENTS (FIRST REVISION) (ISO 9001:2008, IDT) (PUBLISHED BY STANDARDS MALAYSIA IN 2009) ICS: 03.120.10 Descriptors: quality management,

More information

Systems and software engineering Content of life-cycle information items (documentation)

Systems and software engineering Content of life-cycle information items (documentation) INTERNATIONAL STANDARD ISO/IEC/ IEEE 15289 Third edition 2017-06 Systems and software engineering Content of life-cycle information items (documentation) Ingénierie des systèmes et du logiciel Contenu

More information

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017) Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017) Assessor 1: Assessor 2: Date: Date: Legend: Generally

More information

The new ISO/IEC 17025:2017

The new ISO/IEC 17025:2017 The new ISO/IEC 17025:2017 By Dr. George Anastasopoulos Director, Conformity assessment, IAS Email: ganastasopoulos@iasonline.org Introduction - Background information ISO/IEC 17025 was first issued in

More information

Appendix B Maintenance Control Manual Template

Appendix B Maintenance Control Manual Template Appendix B Maintenance Control Manual Template MAINTENANCE CONTROL MANUAL TELATE OTAR PART 39 SUBPART E OPTION ONE AND TWO The purpose of this Maintenance Control Manual (MCM) Guidance Document is to assist

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements INTERNATIONAL STANDARD ISO/IEC 27001 First edition 2005-10-15 Information technology Security techniques Information security management systems Requirements Technologies de l'information Techniques de

More information

Asset management Overview, principles and terminology

Asset management Overview, principles and terminology ISO 2012 All rights reserved ISO/PC 251/N183 Date: 2012-02-26 ISO/CD 55000.2 ISO/TC 251/WG 1 Secretariat: BSI Asset management Overview, principles and terminology Gestion d'actifs Vue d'ensemble, les

More information

King lll Principle Comments on application in 2016 Reference Chapter 1: Ethical leadership and corporate citizenship Principle 1.

King lll Principle Comments on application in 2016 Reference Chapter 1: Ethical leadership and corporate citizenship Principle 1. Clicks Group Application of King III Principles 2016 APPLICATION OF King III PrincipleS 2016 This document has been prepared in terms of the JSE Listings Requirements and sets out the application of King

More information

ISMS AUDIT CHECKLIST

ISMS AUDIT CHECKLIST 4.1 REQUIREMENT REFER TO BS ISO / IEC 27001 : 2005 Has the organisation developed a documented ISMS based on the PDCA model? Checked at Stage 1 for development and Stage 2/surveillance for implementation,

More information

Introduction and Revision of IEC 61508

Introduction and Revision of IEC 61508 Introduction and Revision of IEC 61508 Ron Bell OBE, BSc, CEng FIET Engineering Safety Consultants Ltd Collingham House 10-12 Gladstone Road Wimbledon London, SW19 1QT UK Abstract Over the past twenty-five

More information

ISO 22000:2005 Standard INTERNATIONAL STANDARDS REGISTRATIONS

ISO 22000:2005 Standard INTERNATIONAL STANDARDS REGISTRATIONS ISO 22000:2005 Standard Food Safety Management System INTERNATIONAL STANDARDS REGISTRATIONS 3.1 FOOD SAFETY concept that food will not cause harm to the consumer when it is prepared and/or eaten according

More information

Osprey Technologies, LLC. Quality Manual ISO9001:2008 Rev -

Osprey Technologies, LLC. Quality Manual ISO9001:2008 Rev - February 8, 2015 1 Osprey Technologies, LLC Quality Manual ISO9001:2008 Rev - February 8, 2015 Released by Dave Crockett President 6100 S. Maple Avenue, Suite 117 Tempe, AZ 85283 www.osprey-tech.com February

More information

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015 In Control: Getting Familiar with the New COSO Guidelines CSMFO Monterey, California February 18, 2015 1 Background on COSO Part 1 2 Development of a comprehensive framework of internal control Internal

More information

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR) that takes effect in 2018 will bring changes for

More information

ISO/IEC INTERNATIONAL STANDARD. Systems and software engineering System life cycle processes IEEE

ISO/IEC INTERNATIONAL STANDARD. Systems and software engineering System life cycle processes IEEE INTERNATIONAL STANDARD ISO/IEC 15288 IEEE Std 15288-2008 Second edition 2008-02-01 Systems and software engineering System life cycle processes Ingénierie des systèmes et du logiciel Processus du cycle

More information

CHAPTER 1 Introduction

CHAPTER 1 Introduction CHAPTER 1 Introduction The Standard for Program Management provides guidelines for managing programs within an organization. It defines program management and related concepts, describes the program management

More information

Data Quality Policy

Data Quality Policy Cambridgeshire and Peterborough Clinical Commissioning Group (CCG) Data Quality Policy 2017-2019 Ratification Process Lead Author(s): Reviewed / Developed by: Approved by: Ratified by: Associate Director

More information

An Overview of the 2013 COSO Framework. August 2013

An Overview of the 2013 COSO Framework. August 2013 An Overview of the 2013 COSO Framework August 2013 Introduction Dean Geesler, KPMG Senior Manager Course Objectives Summarize the key changes from the 1992 Framework to the 2013 Framework including the

More information

Risk management Principles and guidelines

Risk management Principles and guidelines AS/NZS ISO 31000:2009 Joint Australian New Zealand International Standard Risk management Principles and guidelines Superseding AS/NZS 4360:2004 AS/NZS ISO 31000:2009 AS/NZS ISO 31000:2009 This Joint Australian/New

More information

Asset Management Policy

Asset Management Policy Asset Management Policy January 2018 Introduction Our Asset Management Policy was last published in 2014. It is being updated to reflect our commitment to regularly review and improve all of our Asset

More information